ZwQuerySystemInformation

OSR_Community_User · September 24, 2008, 3:13pm

Dear all

I want to use ZwQuerySystemInformation or NtQueySystemInformation functions
in my driver but the "Undefined , Assuming extern returning int " error is
appeared.

Can anyone tell me why?

Cheers
Shabnam

Don_Burn_1 · September 24, 2008, 3:16pm

Because they are undefined for the kernel! You have to roll your own
external definition and recognize that the functions are poorly documented
and subject to change.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

“shabnam3x” wrote in message news:xxxxx@ntdev…
> Dear all
>
> I want to use ZwQuerySystemInformation or NtQueySystemInformation
> functions
> in my driver but the "Undefined , Assuming extern returning int " error is
> appeared.
>
> Can anyone tell me why?
>
>
> Cheers
> Shabnam
>

OSR_Community_User · September 24, 2008, 3:34pm

Ok , thanks but in the all sample source codes, these functions have used
without any differences with defined functions

On Wed, Sep 24, 2008 at 10:45 PM, Don Burn wrote:

> Because they are undefined for the kernel! You have to roll your own
> external definition and recognize that the functions are poorly documented
> and subject to change.
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
> Remove StopSpam to reply
>
>
>
>
> “shabnam3x” wrote in message news:xxxxx@ntdev…
> > Dear all
> >
> > I want to use ZwQuerySystemInformation or NtQueySystemInformation
> > functions
> > in my driver but the "Undefined , Assuming extern returning int " error
> is
> > appeared.
> >
> > Can anyone tell me why?
> >
> >
> > Cheers
> > Shabnam
> >
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Don_Burn_1 · September 24, 2008, 3:36pm

I know of no Microsoft kernel sample that uses them, and many of the samples
on the web that use these get them wrong.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

“shabnam3x” wrote in message news:xxxxx@ntdev…
> Ok , thanks but in the all sample source codes, these functions have used
> without any differences with defined functions
>
> On Wed, Sep 24, 2008 at 10:45 PM, Don Burn wrote:
>
>> Because they are undefined for the kernel! You have to roll your own
>> external definition and recognize that the functions are poorly
>> documented
>> and subject to change.
>>
>>
>> –
>> Don Burn (MVP, Windows DDK)
>> Windows 2k/XP/2k3 Filesystem and Driver Consulting
>> Website: http://www.windrvr.com
>> Blog: http://msmvps.com/blogs/WinDrvr
>> Remove StopSpam to reply
>>
>>
>>
>>
>> “shabnam3x” wrote in message news:xxxxx@ntdev…
>> > Dear all
>> >
>> > I want to use ZwQuerySystemInformation or NtQueySystemInformation
>> > functions
>> > in my driver but the "Undefined , Assuming extern returning int " error
>> is
>> > appeared.
>> >
>> > Can anyone tell me why?
>> >
>> >
>> > Cheers
>> > Shabnam
>> >
>>
>>
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> For our schedule of WDF, WDM, debugging and other seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>

Pavel_A1 · September 24, 2008, 3:56pm

shabnam3x wrote:

Dear all

I want to use ZwQuerySystemInformation or NtQueySystemInformation
functions in my driver but the "Undefined , Assuming extern returning
int " error is appeared.

Can anyone tell me why?

Cheers
Shabnam

You can try to #include winternl.h from the latest SDK.
It has prototype for ZwQuerySystemInformation and defines
some info classes.

Good luck.
–PA

Tim_Roberts · September 24, 2008, 4:34pm

shabnam3x wrote:

Ok , thanks but in the all sample source codes, these functions have
used without any differences with defined functions

No, I don’t think so.

C:\Dev>findstr /s QuerySystemInformation \DDK\6001.18000\src*.c

C:\Dev>

If you fetched a sample off of the web, then you are only seeing a
snippet of the code. They assume you will be able to supply the
prototype yourself.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Charansing_Deore · September 25, 2008, 2:05am

In one of my user mode project I did it this way because i could not find
any lib files for these APIs. I am not sure how to do it in kernel (instead
of NtQueySystemInformation i have used NtQueryInformationProcess here)

long fnNtQueryInformationProcess(HANDLE ProcessHandle,//IN
PROCESSINFOCLASS ProcessInformationClass,//IN
PVOID ProcessInformation,//OUT
ULONG ProcessInformationLength,//IN
PULONG ReturnLength)//OUT
{
typedef long (__stdcall
*MYPROC)(HANDLE,PROCESSINFOCLASS,PVOID,ULONG,PULONG);
long lRetVal;
MYPROC MyNtQueryInformationProcess;
HMODULE hModule;

hModule = GetModuleHandle(“NTDLL.DLL”);
MyNtQueryInformationProcess = (MYPROC)GetProcAddress(hModule,
“NtQueryInformationProcess”);
lRetVal = MyNtQueryInformationProcess(ProcessHandle,
ProcessInformationClass,
ProcessInformation,
ProcessInformationLength,
ReturnLength);
return lRetVal;
}

On Thu, Sep 25, 2008 at 12:42 AM, shabnam3x wrote:

> Dear all
>
> I want to use ZwQuerySystemInformation or NtQueySystemInformation functions
> in my driver but the "Undefined , Assuming extern returning int " error is
> appeared.
>
> Can anyone tell me why?
>
>
> Cheers
> Shabnam
> — NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and
> other seminars visit: http://www.osr.com/seminars To unsubscribe, visit
> the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

–
Thanks and Regards,
----------------------------------------------------------------
Charansing D Deore
Sr. Software Developer,
CalSoft Pvt Ltd.
Baner Road, Pune-411045
Office: +91 20 39853000 Ext: 3055
Cell: +91 9850960550

raj_r · September 25, 2008, 11:42am

are you asking what could be the equivalent for GetProcAddress Routine
if yes then it could be

lkd> .fnent nt!MmGetSystemRoutineAddress
Debugger function entry 00d561e0 for:
(805a2130) nt!MmGetSystemRoutineAddress | (805a22b6) nt!MmLoadSystemImage
Exact matches:
nt!MmGetSystemRoutineAddress =

OffStart: 000cb130
ProcSize: 0xf6
Prologue: 0xb
Params: 0n1 (0x4 bytes)
Locals: 0n8 (0x20 bytes)
Non-FPO

iirc it takes a pointer to unicode string

be aware this function has got some bugs that can cause bsod in
earlier os iirc wxp sp1 and less search osr threads also in hectors
memos for the explanation

and also be aware that most of the posters here shun replying to
threads that use undocumented stuff

regards

raj_r